Malware authors turn to EULAs to protect their work

Software companies have a vested interest in protecting their work, whether …

Selling botnets for particular attacks, black markets for stolen identities, and malware construction kits are all now par for the course for the increasingly commercial malware industry. Discovering that malware authors have actually turned to End-User License Agreements (EULAs) in an attempt to protect their own intellectual property, however, most definitely qualifies as something new, different, and beautifully ironic.

Symantec security researcher Liam O Murchu has details on this latest development. The help section of the latest version of the Zeus malware states that the client has no right to distribute Zeus for any business or commercial purpose not connected to the initial sale, cannot examine the source code of the product, has no right to use the product to control other botnets, and cannot send the product to anti-virus companies. The client does agree to "give the seller a fee for any update to the product that is not connected with errors in the work, as well as for adding additional functionality." Modern license agreements take a great deal of (deserved) fire for being absurdly draconian, but even the likes of Adobe and Microsoft don't claim that purchasing a version of their respective products locks the user into buying future editions.

It's obviously difficult for the manufacturers of an illegal product to threaten legal sanctions against an infringer, but the Zeus authors give it their best shot. According to the EULA, "In cases of violations of the agreement and being detected, the client loses any technical support. Moreover, the binary code of your bot will be immediately sent to antivirus companies." Frankly, "We'll blow your kneecaps off and feed them to you," might be a bit more effective as a threat, but I suppose it's a bit hard to carry out that threat over the Internet.

If the folks behind Zeus are serious—and they seem to be—they've obviously got a rather warped sense of reality. Data thieves and malware authors aren't going to win any "Most Likely to Respect Intellectual Property" competitions, and they may not be particularly intimidated by a promise to turn their work in to anti-virus companies, seeing as they can do the same thing to the original author of the malware in question. The prospect of a fully commercialized malware distribution system isn't an idea anyone in security IT relishes, but watching illegal businesses attacking each other over illegal modifications to illegal products could be downright hilarious.